This chapter covers Microsoft Defender for Cloud, a core tool for cloud security posture management (CSPM) and cloud workload protection (CWP) in Azure, AWS, and GCP. For the SC-200 exam, this is a high-weight domain (approximately 15-20% of questions) under Objective 3.1: 'Manage security posture and identify threats using Microsoft Defender for Cloud.' You will be tested on its features—secure score, recommendations, workload protections, and integration with Microsoft Sentinel—and must know how to configure and interpret its findings.
Imagine a large office building with multiple floors, each floor representing a different cloud workload (VMs, databases, containers). The building has a central security desk that monitors all entrances, cameras, and fire alarms. This desk is Microsoft Defender for Cloud. It receives alerts from every floor: a door left open (unsecured port), a suspicious person loitering (unusual login pattern), or a smoke detector triggered (potential malware). The security desk doesn't just log these events; it correlates them—if the same person (IP address) is seen on multiple floors, it raises a priority alert. It also provides recommendations: 'Install a lock on door 3B' (enable just-in-time VM access) or 'Replace the old fire extinguisher' (update a vulnerable software package). The desk can also automatically lock down a floor if a fire is confirmed (adaptive application controls). In essence, Defender for Cloud is the centralized security command center that gives you visibility, recommendations, and automated enforcement across your entire cloud estate, whether in Azure, AWS, or GCP.
What is Microsoft Defender for Cloud?
Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender) is a unified infrastructure security management system that strengthens the security posture of your cloud resources and provides advanced threat protection for hybrid and multi-cloud workloads. It is natively integrated into Azure but also supports AWS and GCP (via connector). For SC-200, you need to understand two main pillars: Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP).
Cloud Security Posture Management (CSPM)
CSPM is the continuous assessment of your cloud resources against security best practices and compliance standards. Defender for Cloud evaluates your environment against the Microsoft Cloud Security Benchmark (MCSB), which is derived from industry standards like CIS, NIST, and PCI DSS. The assessment results are reflected in the secure score, a percentage (0-100%) that indicates how well you are following security recommendations. Each recommendation contributes a potential score increase if remediated. For example, enabling encryption on a storage account might be worth 2 points. The secure score is calculated as (achieved score / total possible score) * 100%.
Key components of CSPM:
- Recommendations: Actionable steps to improve security. Each recommendation has a severity (High, Medium, Low) and a remediation step (Fix, Quick Fix, or manual). The exam tests that not all recommendations can be auto-remediated; some require manual changes.
- Regulatory compliance dashboard: Shows compliance with standards like SOC 2, ISO 27001, PCI DSS 3.2.1, and custom policies. You can add standards via Azure Policy. The dashboard maps resources to control requirements.
- Inventory: A view of all protected resources across subscriptions, with security state.
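As an added worked example (not from the chapter, and not Microsoft's code), the score arithmetic above carried through for a few constructed dashboard rows. It goes one step beyond the chapter's formula by using Microsoft's published per-control rule, current score = max score × (healthy resources / total resources), and it ranks controls by "Potential score increase" two ways: total gain if a control is fully remediated, and gain per single resource fixed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Control:
    """One secure score control (a group of related recommendations).

    Fields mirror the secure score dashboard columns; sample values are constructed.
    """
    name: str
    max_score: float        # points the control is worth when every resource is healthy
    healthy: int            # resources that satisfy all recommendations in the control
    unhealthy: int          # resources with at least one unresolved recommendation
    in_score: bool = True   # False for recommendations the score does not count

    @property
    def applicable(self) -> bool:
        # Controls with no resources, or excluded from scoring, are left out entirely.
        return self.in_score and (self.healthy + self.unhealthy) > 0

    @property
    def current_score(self) -> float:
        # Microsoft's published rule: max score scaled by the healthy fraction.
        if not self.applicable:
            return 0.0
        return self.max_score * self.healthy / (self.healthy + self.unhealthy)

    @property
    def potential_increase(self) -> float:
        # What the dashboard shows as "Potential score increase" for the control.
        return self.max_score - self.current_score if self.applicable else 0.0


def secure_score_percent(controls: List[Control]) -> float:
    """(achieved score / total possible score) * 100, as the chapter defines it."""
    scored = [c for c in controls if c.applicable]
    total_possible = sum(c.max_score for c in scored)
    if total_possible == 0:
        return 0.0
    return round(sum(c.current_score for c in scored) / total_possible * 100, 1)


def by_total_gain(controls: List[Control]) -> List[Tuple[str, float]]:
    """Controls ordered by the points gained if the control is fully remediated."""
    gains = [(c.name, round(c.potential_increase, 2)) for c in controls if c.applicable]
    return sorted(gains, key=lambda item: item[1], reverse=True)


def by_gain_per_fix(controls: List[Control]) -> List[Tuple[str, float]]:
    """Controls ordered by points gained for each single unhealthy resource fixed."""
    gains = [(c.name, round(c.potential_increase / c.unhealthy, 2))
             for c in controls if c.applicable and c.unhealthy]
    return sorted(gains, key=lambda item: item[1], reverse=True)


# Constructed dashboard rows, not data from a real tenant.
SAMPLE = [
    Control("Enable MFA", 10, healthy=3, unhealthy=1),
    Control("Secure management ports", 8, healthy=4, unhealthy=4),
    Control("Encrypt data in transit", 4, healthy=2, unhealthy=0),
    Control("Apply system updates", 6, healthy=0, unhealthy=0),        # no resources
    Control("Manual verification item", 5, healthy=0, unhealthy=2, in_score=False),
]
```

On the sample rows the score is 70.5%; "Secure management ports" offers the largest total gain, but each single fix under "Enable MFA" is worth more, which is the trade-off a team prioritising remediation actually faces.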
Cloud Workload Protection (CWP)
CWP provides advanced threat detection and protection for specific workload types. Defender for Cloud plans (formerly Azure Defender plans) are per-resource-type subscriptions that enable enhanced security features. The exam focuses on these plans:
Defender for Servers: Integrates with Microsoft Defender for Endpoint (MDE) for unified endpoint detection and response (EDR). Provides fileless attack detection, network-level signals, and threat intelligence. Requires Azure Arc for on-premises or multi-cloud servers.
Defender for SQL: Identifies anomalous database activities (brute force, SQL injection) and provides vulnerability assessment (built-in VA scanner). The VA scanner runs weekly and reports misconfigurations and excessive permissions.
Defender for Storage: Detects unusual access patterns (e.g., anonymous access, Tor exit nodes, unusual IPs). Supports Blob Storage, Azure Files, and Data Lake Storage Gen2. Alerts are generated based on threat intelligence and machine learning.
Defender for Containers: Protects AKS, Azure Container Instances, and Azure Container Registry. Includes runtime threat detection for Kubernetes clusters (e.g., suspicious processes, privileged containers).
Defender for App Service: Detects attacks targeting web apps and APIs running on App Service. Uses global traffic analysis to identify brute force, DDoS, and SQL injection attempts.
Defender for Key Vault: Monitors access patterns to detect anomalies like unusual retrieval of secrets or access from suspicious IPs.
Defender for Resource Manager: Protects Azure Resource Manager operations, detecting suspicious activities like deployment of malicious resources or privilege escalation.
Defender for DNS: Detects DNS attacks (e.g., DNS tunneling, DGA domains) by analyzing DNS queries from Azure resources.
Defender for Open-Source Relational Databases: Protects Azure Database for PostgreSQL, MySQL, and MariaDB with threat detection.
Defender for Cosmos DB: Detects SQL injection and unusual access patterns on Cosmos DB.
Each plan has a cost per resource. The exam may ask which plan provides specific protection (e.g., 'Which Defender plan protects against SQL injection?' Answer: Defender for SQL).
Integration with Microsoft Sentinel
Defender for Cloud sends security alerts to Microsoft Sentinel (SIEM) via the Azure Sentinel connector. This allows correlation with other data sources. The exam tests that alerts from Defender for Cloud appear in Sentinel as incidents (if configured). You can also stream Defender for Cloud recommendations and secure score data to Sentinel for advanced analytics.
Key Defaults and Timers
Secure score refresh: Every 24 hours, or on-demand via API.
Recommendation scan frequency: Continuous (real-time) for most resources; vulnerability assessments (e.g., SQL VA) run weekly.
Alert retention: 90 days in the Azure portal; can be exported to Log Analytics for longer retention.
Just-in-time (JIT) VM access: Default timeout is 3 hours; can be customized per request.
Adaptive application controls: Whitelist generation takes up to 7 days of observation.
File integrity monitoring (FIM): Baseline generation takes up to 24 hours; subsequent changes are tracked.
Configuration Commands
Defender for Cloud is primarily configured via the Azure portal, but you can use PowerShell and CLI.
PowerShell example to enable a Defender plan (here Defender for Servers, the 'VirtualMachines' pricing) on a subscription:
Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard'
CLI example to enable a plan:
az security pricing create -n VirtualMachines --tier standard
Viewing secure score via CLI (the command group is secure-scores, plural):
az security secure-scores list
Viewing recommendations (the CLI exposes recommendations as security assessments):
az security assessment list
How It Works Internally
Defender for Cloud uses a combination of agents, Azure Policy, and Microsoft’s threat intelligence. For servers, it uses the Log Analytics agent (or Azure Monitor Agent) to collect security events and performance data. For PaaS services, it leverages telemetry from the Azure fabric. The data is analyzed by machine learning models and threat intelligence feeds. Alerts are generated and correlated. The secure score is computed by aggregating compliance status of all recommendations.
Interaction with Azure Policy
Defender for Cloud recommendations are backed by Azure Policy initiatives. When you enable a Defender for Cloud plan, it automatically creates a policy assignment (e.g., 'Azure Security Benchmark') that audits and enforces controls. The exam may test that you can create custom recommendations via Azure Policy and they appear in Defender for Cloud.
Multi-Cloud Support
Defender for Cloud can protect AWS and GCP resources via connectors. You need to configure the connector (e.g., AWS CloudFormation template) to allow Defender for Cloud to scan AWS resources. For AWS, it supports EC2, EKS, and Lambda. For GCP, it supports GKE and Compute Engine. The exam may ask which cloud providers are supported (AWS, GCP) and what resources are covered (e.g., AWS S3 buckets, EC2 instances).
Enable Microsoft Defender for Cloud
On the Azure portal, navigate to Microsoft Defender for Cloud. The first time you open it, you'll see a welcome screen. You must enable Defender for Cloud at the subscription level. By default, the free tier (CSPM only) is enabled. To enable enhanced security (CWP), you need to turn on individual Defender plans (e.g., Defender for Servers). This is done via the 'Environment settings' blade. For each subscription, you can toggle plans on/off. Each plan has a per-resource cost. The exam expects you to know that enabling a plan applies to all current and future resources of that type in the subscription.
Review Secure Score and Recommendations
After enabling, the dashboard shows your secure score (percentage) and a list of recommendations. Each recommendation has a 'Potential score increase' if remediated. Click on a recommendation to see affected resources and remediation steps. Some recommendations have a 'Fix' button that auto-remediates (e.g., 'Enable encryption on storage accounts'). Others require manual steps (e.g., 'Install endpoint protection'). The secure score is updated every 24 hours. The exam tests that the secure score is a percentage and that it only counts supported recommendations (not all).
Configure Regulatory Compliance
Go to the 'Regulatory compliance' blade under Defender for Cloud. Here you can add compliance standards (e.g., SOC 2, PCI DSS). Adding a standard creates an Azure Policy initiative that audits resources. The dashboard shows compliance status per control. The exam may ask how to add a custom standard (answer: via Azure Policy). You can also export compliance data to Log Analytics or Event Hubs.
Enable Workload Protection Plans
In 'Environment settings', select a subscription or management group. Under 'Defender plans', you can enable specific plans. For example, to protect VMs, toggle 'Servers' to On. For SQL databases, toggle 'SQL servers on machines' (for on-prem) or 'Azure SQL databases'. The exam tests that enabling a plan for a management group applies to all child subscriptions. Also, note that some plans require additional configuration (e.g., Defender for Servers requires the Log Analytics agent on VMs).
Investigate Security Alerts
When a threat is detected, an alert appears in the 'Security alerts' blade. Each alert has a severity (Low, Medium, High, Critical), a description, affected resources, and remediation steps. You can view the alert details, including the kill chain (MITRE ATT&CK tactics). Alerts can be exported to Sentinel or to a SIEM via continuous export. The exam may ask how to investigate an alert (e.g., use the 'Inspect' feature to see raw logs).
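An added example of the correlation the office-building analogy at the top of the chapter describes (not from the chapter, and not how Sentinel itself builds incidents): constructed rows in the shape of the Log Analytics SecurityAlert table are grouped per affected resource, the highest severity and the union of ATT&CK tactics are recorded, and an incident is raised one level when its source IP was also seen against another resource. The column names are real SecurityAlert columns; the "Source IP" key inside ExtendedProperties and every value are constructed.

```python
import json
from collections import defaultdict
from typing import Dict, List

# Severity order used by the chapter: Low < Medium < High < Critical.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
RANK_NAME = {v: k for k, v in SEVERITY_RANK.items()}

# Constructed rows shaped like the SecurityAlert table that the Defender for Cloud
# data connector and continuous export populate. Column names are real; every
# value, including the "Source IP" key in the ExtendedProperties JSON string, is invented.
SAMPLE_ALERTS = [
    {"AlertName": "Suspicious PowerShell command line", "AlertSeverity": "High",
     "ProductName": "Azure Security Center", "CompromisedEntity": "vm-web-01",
     "Tactics": "Execution", "ExtendedProperties": json.dumps({"Source IP": "203.0.113.7"})},
    {"AlertName": "Access from a Tor exit node", "AlertSeverity": "Medium",
     "ProductName": "Azure Security Center", "CompromisedEntity": "stcontosologs",
     "Tactics": "InitialAccess", "ExtendedProperties": json.dumps({"Source IP": "203.0.113.7"})},
    {"AlertName": "Potential SQL injection", "AlertSeverity": "High",
     "ProductName": "Azure Security Center", "CompromisedEntity": "sql-orders-db",
     "Tactics": "PreAttack", "ExtendedProperties": json.dumps({"Source IP": "198.51.100.9"})},
    {"AlertName": "Unrelated vendor alert", "AlertSeverity": "Critical",
     "ProductName": "Other Vendor", "CompromisedEntity": "fw-edge",
     "Tactics": "Impact", "ExtendedProperties": "{}"},
]


def source_ip(alert: dict) -> str:
    """Read the constructed 'Source IP' key from the ExtendedProperties JSON string."""
    try:
        return json.loads(alert.get("ExtendedProperties") or "{}").get("Source IP", "")
    except json.JSONDecodeError:
        return ""


def defender_alerts(alerts: List[dict]) -> List[dict]:
    """Keep only rows Defender for Cloud produced (its ProductName in the table)."""
    return [a for a in alerts if a.get("ProductName") == "Azure Security Center"]


def shared_sources(alerts: List[dict]) -> Dict[str, List[str]]:
    """IPs seen against more than one resource: the 'same person on several floors' case."""
    seen = defaultdict(set)
    for a in alerts:
        if source_ip(a):
            seen[source_ip(a)].add(a["CompromisedEntity"])
    return {ip: sorted(ents) for ip, ents in seen.items() if len(ents) > 1}


def build_incidents(alerts: List[dict]) -> List[dict]:
    """Group Defender for Cloud alerts per resource, carrying the top severity and the
    union of ATT&CK tactics; raise one level when the source IP also hit another resource."""
    alerts = defender_alerts(alerts)
    cross = shared_sources(alerts)
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["CompromisedEntity"]].append(a)
    incidents = []
    for entity, items in grouped.items():
        top = max(SEVERITY_RANK[a["AlertSeverity"]] for a in items)
        if any(source_ip(a) in cross for a in items):
            top = min(top + 1, SEVERITY_RANK["Critical"])
        incidents.append({"entity": entity, "severity": RANK_NAME[top],
                          "tactics": sorted({a["Tactics"] for a in items}),
                          "alerts": [a["AlertName"] for a in items]})
    return sorted(incidents, key=lambda i: SEVERITY_RANK[i["severity"]], reverse=True)
```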
Enterprise Scenario 1: Multi-Cloud Compliance Monitoring
A financial services company runs workloads in Azure and AWS. They need to comply with PCI DSS. They enable Defender for Cloud in Azure and connect their AWS account via the AWS connector. Defender for Cloud scans both environments and reports compliance against PCI DSS. The secure score shows a 72% compliance level. The security team prioritizes recommendations that increase the score, such as enabling encryption on S3 buckets and Azure Storage. They use the regulatory compliance dashboard to generate reports for auditors. A common issue is that the AWS connector requires periodic re-authentication; if the role expires, data stops flowing and the dashboard becomes stale.
Enterprise Scenario 2: Threat Detection for Hybrid Servers
A retail company has 500 on-premises servers and 200 Azure VMs. They enable Defender for Servers (standard plan) and install the Log Analytics agent on all servers via Azure Arc. Defender for Cloud integrates with Microsoft Defender for Endpoint (MDE) to provide EDR. One day, an alert fires for a server running a suspicious PowerShell script. The security analyst opens the alert, sees the MITRE ATT&CK tactic (Execution), and uses the 'Live Response' feature (via MDE) to investigate the process tree. They find fileless malware. They isolate the server via Defender for Cloud's 'Take action' menu. The exam scenario might ask: 'Which plan provides EDR integration?' Answer: Defender for Servers.
Enterprise Scenario 3: Protecting Kubernetes Workloads
A tech startup runs AKS clusters. They enable Defender for Containers. The plan monitors cluster activities and detects a container running with elevated privileges (a common misconfiguration). It also detects a suspicious network connection to a known malicious IP. Defender for Cloud recommends enabling 'Azure Policy for Kubernetes' to enforce pod security policies. The team uses the recommendations to harden their cluster. A performance consideration: enabling audit logs for AKS increases log volume; Defender for Cloud processes these logs. If the cluster is large (100+ nodes), the cost of the Defender plan may be significant.
What SC-200 Tests on Microsoft Defender for Cloud (Objective 3.1)
The exam focuses on:
Understanding the difference between CSPM (free) and CWP (paid) features.
Knowing which Defender plan protects which workload (e.g., Defender for SQL for SQL injection, Defender for Storage for anomalous access).
Secure score calculation (percentage, not points).
How to enable and configure Defender plans at subscription and management group level.
Integration with Microsoft Sentinel (alerts become incidents).
Multi-cloud support (AWS and GCP connectors).
Regulatory compliance (adding standards, custom policies).
JIT VM access and adaptive application controls.
Common Wrong Answers and Why
'Secure score is based on the number of recommendations remediated.' Wrong. It's a percentage of achieved score / total possible score. Each recommendation has a potential point value.
'Defender for Cloud protects on-premises servers without any agent.' Wrong. On-premises servers need Azure Arc and the Log Analytics agent (or Azure Monitor Agent) to be protected.
'Enabling a Defender plan at the subscription level protects only existing resources.' Wrong. It protects all current and future resources of that type.
'Defender for Cloud can replace Microsoft Sentinel.' Wrong. Defender for Cloud is a CSPM/CWP tool; Sentinel is a SIEM. They complement each other.
Specific Values and Terms on the Exam
Secure score range: 0% to 100%.
Alert severity levels: Low, Medium, High, Critical.
Supported compliance standards: Azure CIS, PCI DSS, SOC TSP, ISO 27001, etc.
Default JIT timeout: 3 hours.
VA scan frequency for SQL: weekly.
Connector types: AWS and GCP.
MITRE ATT&CK framework used in alert details.
Edge Cases and Exceptions
If a subscription is moved to a new management group, Defender plans may be inherited or overridden.
Some recommendations are not included in secure score (e.g., those requiring manual verification).
Defender for Containers requires Azure Policy for Kubernetes to be enabled for certain recommendations.
The free tier provides only CSPM; no threat detection.
How to Eliminate Wrong Answers
If the question mentions 'threat detection' or 'alerts', it must be a paid plan (CWP).
If the question mentions 'secure score' or 'recommendations', it could be free tier.
If the question mentions 'multi-cloud', look for AWS or GCP connectors.
If the question mentions 'regulatory compliance', look for standards like PCI DSS.
If the question mentions 'integration with Sentinel', the correct answer involves the data connector for Defender for Cloud.
Microsoft Defender for Cloud has two tiers: free (CSPM) and enhanced (CWP with Defender plans).
Secure score is a percentage (0-100%) of achieved score divided by total possible score.
Defender plans must be enabled per subscription or management group; they protect all resources of that type.
Defender for Servers integrates with Microsoft Defender for Endpoint for EDR.
Defender for SQL provides vulnerability assessment and threat detection for SQL databases.
Defender for Storage detects anomalous access patterns (e.g., Tor exit nodes).
Defender for Containers protects AKS, ACI, and ACR with runtime threat detection.
Defender for Cloud supports multi-cloud (AWS and GCP) via connectors.
Alerts from Defender for Cloud can be sent to Microsoft Sentinel via the Azure Sentinel connector.
JIT VM access default timeout is 3 hours; adaptive application controls require 7 days of observation.
Regulatory compliance dashboards use Azure Policy initiatives to audit controls.
The exam tests which Defender plan protects specific workloads (e.g., Defender for SQL for SQL injection).
These come up on the exam all the time. Here's how to tell them apart.
Free Tier (CSPM)
Continuous assessment of security posture
Secure score and recommendations
Regulatory compliance dashboard (limited standards)
No threat detection or alerts
No integration with Microsoft Defender for Endpoint
Enhanced Security (CWP with Defender Plans)
Includes all free tier features
Advanced threat detection for workloads (alerts)
Integration with Microsoft Defender for Endpoint (for servers)
File integrity monitoring (FIM), JIT VM access, adaptive application controls
Per-resource cost; covers all current and future resources of the enabled type
Mistake
Defender for Cloud is a SIEM tool.
Correct
Defender for Cloud is a CSPM and CWP tool. It provides security posture management and threat detection, but it is not a SIEM. Microsoft Sentinel is the SIEM. Defender for Cloud integrates with Sentinel by sending alerts.
Mistake
The secure score is a count of remediated recommendations.
Correct
The secure score is a percentage (0-100%) calculated as (achieved score / total possible score) * 100%. Each recommendation contributes a potential score increase.
Mistake
All Defender plans are enabled by default.
Correct
Only the free tier (CSPM) is enabled by default. Paid plans (e.g., Defender for Servers) must be explicitly enabled per subscription or management group.
Mistake
Defender for Cloud can protect on-premises servers without any agent.
Correct
On-premises servers require Azure Arc and the Log Analytics agent (or Azure Monitor Agent) to be managed. Without the agent, Defender for Cloud cannot collect security events.
Mistake
JIT VM access is available for all VMs without configuration.
Correct
JIT VM access must be enabled on each VM that supports it (Azure Resource Manager VMs). By default, it is not enabled. Once enabled, you can request access for a limited time (default 3 hours).
Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) tool that assesses your environment and provides threat detection for cloud workloads. Sentinel is a Security Information and Event Management (SIEM) tool that collects logs from multiple sources (including Defender for Cloud) and correlates them to detect and respond to threats. They are complementary: Defender for Cloud provides security posture and alerts, while Sentinel provides advanced analytics and incident management.
In Defender for Cloud, go to 'Environment settings' and select 'Add environment' > 'Amazon Web Services'. You will need to provide your AWS account ID and create an IAM role in AWS using a CloudFormation template. Once connected, Defender for Cloud will scan your AWS resources (EC2, EKS, Lambda) and provide recommendations and threat detection. The connector must be refreshed if the IAM role expires.
Enable Defender for SQL (Azure SQL databases) and/or Defender for SQL servers on machines (for SQL on VMs). Defender for SQL provides vulnerability assessment (weekly scan) and threat detection (SQL injection, brute force). The plan is per database or per logical server.
Yes. Use the 'Microsoft Defender for Cloud' data connector in Sentinel. When configured, all alerts from Defender for Cloud are ingested into Sentinel as incidents. You can also stream recommendations and secure score data using the 'Continuous export' feature to Log Analytics, and then connect that workspace to Sentinel.
The default timeout is 3 hours. When you request JIT access to a VM, you can specify a shorter duration (minimum 30 minutes) or up to 8 hours (if allowed by policy). The policy can be customized per subscription.
The secure score is recalculated approximately every 24 hours. However, you can trigger an on-demand refresh using the Azure REST API. The score reflects the latest compliance status of recommendations.
A recommendation is a suggestion to improve your security posture (e.g., 'Enable encryption on storage accounts'). An alert is a notification of a detected threat (e.g., 'Malicious SQL injection attempt'). Recommendations are part of CSPM; alerts are part of CWP (enhanced security).